Use it or lose it: personal data joins the list

Spectrum regulators around the world have long been big fans of the ‘use it or lose it’ principle when it comes to licensing radio spectrum, or specific frequencies, particularly when that spectrum sits in a band that is in high demand. It even merits a mention in the EU’s European Electronic Communications Code, due to take effect before the end of 2020.

By now, those operating in the cyber security world should have adopted their own version of the ‘use it or lose it’ principle, driven by the need to eliminate unnecessary risk. All unused software, and hardware services that are no longer required, should be deleted, disposed of, or turned off.

It is worth noting that a significant proportion of the cyber attacks our Cyber Incident Response Team (CIRT) respond to have occurred solely because someone with malicious intent has exploited functionality that should have been disabled.

As well as reducing the attack surface that a malicious actor might manipulate – thus significantly reducing risk – adopting this ‘regular clear-out’ principle also removes the requirement for upgrading and updating unnecessarily. Efficiency and productivity will be improved significantly as you cut your patching to-do list down to include only the updates you actually need. The UK’s National Cyber Security Centre include this crucial tip in the Secure Configuration element of their ’10 Steps to Cyber Security’.

While personal data should have been a regular feature on the ‘Use It or Lose It’ list, until recently, it has not been. The recent changes in data protection legislation around the world are providing a rather heavy financial incentive to take it seriously from now on.

However, even disregarding the potential fines (which are only imposed after the event in any case), deleting unnecessarily held personal data can potentially reduce the need for any engagement with data protection regulators. One of the critical considerations involved in reporting to regulators is the number of records affected. Retaining only the personal data that you actually require to run your business will help to keep that number down should an incident occur.

The ‘use it or lose it’ principle has been around for a while and it is being applied by some cyber security and privacy professionals, but there is still much more that can be done.

• Survey your cyber estate to identify software, hardware or services you no longer require. Include the view from the outside in, and run a host discovery and passive risk assessment. Whenever we undertake this for clients, we invariably uncover a number of surprises.
• Apply this ‘use it or lose it’ principle to your identity and access management as well. While contractors and temporary staff may only be working with your organisation briefly, virtually they can remain there for ever if you are not tidying up properly as you go.
• Review the personal data that your business needs to function and provide products or services to clients and customers. Delete any data that you no longer have a business need to process. Of course, make sure that you apply your retention policy before you do.

The ever-changing world of cyber security and privacy threats makes it difficult to reduce risks to an acceptable level and then manage them. However, we have found that most organisations could improve their situation and diminish potential risks significantly by taking just these few simple steps.